kubernetes.io/cluster/<name>=shared tag being added to NAT Gateway that isn't managed by kops

[kashook]

Using kops 1.9.0 in AWS, I am creating a cluster where kops is allowed to create the subnets, but I specify pre-existing NAT gateways to use, like this:

  subnets:
  - cidr: 10.75.8.0/26
    egress: nat-xxxxxxxxxxxxxxxxx  # existing NAT gateway created with a separate terraform
    name: us-east-2a
    type: Private
    zone: us-east-2a
  - cidr: 10.75.8.64/26
    egress: nat-yyyyyyyyyyyyyyyyy  # existing NAT gateway created with a separate terraform
    name: us-east-2b
    type: Private
    zone: us-east-2b
  - cidr: 10.75.8.128/26
    egress: nat-zzzzzzzzzzzzzzzzz  # existing NAT gateway created with a separate terraform
    name: us-east-2c
    type: Private
    zone: us-east-2c

The NAT gateways are maintained outside of kops by a separate terraform. kops ends up adding a kubernetes.io/cluster/<name>=shared tag to these NAT gateways, which makes terraform want to delete the tags since it didn't create them. This feels very similar to #4265 I logged a few months ago where kops was tagging VPCs it didn't own, and in that case the decision was made to stop tagging VPCs that were not managed by kops. This feels very similar to me. It looks like #4767 was the reason why the shared tags were added to NAT gateways. It seems like it might be better to not tag them at all if kops didn't create them, and then also assume that they can't be deleted later since they aren't tagged as being owned (which, as was mentioned on #4767, is the general assumption now).

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

[fejta-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

[k8s-ci-robot]

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.